Information Technology General Controls - November 2010

IT General Controls AuditReleased November 2010Download the Full Report hereDownload highlights hereWe undertook this audit because prior audits identified problems with specific information system applications. The city’s chief information officer also expressed concerns about inadequate staffing, risks to network security, and lack of disaster recovery and business continuity plans.

We found:

Areas where policies were inadequate

The department lacks disaster recovery and business continuity plans

The department lacks procedures to monitor security logs

The department does not know what regulatory requirements it must follow

Control for changes to city systems were not always followed

Numerous employees who no longer work for the city retained access to Oracle and the network

Omissions and errors in the department's staffing analysis overstated staffing needs in some areas and understated in others